MySQL Innovation Day 2018: MySQL Enterprise Security & Regulatory Compliance

Mike Frank – MySQL Product Management Director

Copyright © 2018 Oracle and/or its affiliates. All rights reserved.

Transcript of the slide deck (42 slides)

Page 1

MySQL Innovation Day 2018

MySQL Enterprise Security & Regulatory Compliance

Mike Frank – MySQL Product Management Director

Page 2

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 3

Program Agenda

1. Security and Regulatory Challenges

2. MySQL Security Solutions

3. The Details

4. New Security Features in MySQL 8

Page 4

Complexity grows, risk grows

Page 5

Regulatory Compliance

• Regulations

– PCI – DSS: Payment Card Data

– HIPAA: Privacy of Health Data

– Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information"

– EU General Data Protection Directive: Protection of Personal Data (GDPR)

• Requirements

– Continuous Monitoring (Users, Schema, Backups, etc.)

– Data Protection (Encryption, Privilege Management, etc.)

– Data Retention (Backups, User Activity, etc.)

– Data Auditing (User activity, etc.)

Page 6

Cost of Regulatory Compliance

Large Fines

• GDPR – The greater of 20,000,000 Euros or 4% of annual revenue

• PCI – Range from $5,000 to $500,000

• HIPAA – Fines from $400 to $50k per violation (or per record)

Large Losses

• $3.62 Million – Average cost of a breach

• WW $141 per stolen record – The average per capita cost of a data breach was $225 in the United States

• The faster a data breach can be identified and contained, the lower the costs.

* Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview

Page 7

All regulations prescribe - Appropriate Security Controls

For example GDPR States

• Data must be processed with controls that provide “appropriate security and confidentiality”

• Exact security controls are not specified in the GDPR

– WHAT to achieve

– BUT - Not HOW to do it


Page 8

Generally Regulations Focus on 4 Core Security Areas

• Assessment – Processes, Profiles, Data Sensitivity, Risks

• Prevention – Encryption, Masking and Anonymization, Access Controls, Separation of Duties

• Detection – Auditing, Activity monitoring, Alerting, Reporting

• Recovery – Attack recovery using Backup/Restore, HA, Warm Standby servers

Page 9

MySQL and Achieving Your Compliance Goals

• Many things provided by MySQL

– Products

– Features

– Best Practices

– White Papers, Webinars – PCI, GDPR, General Best Practices

– Technical Documents

– Third Party Integrations

Page 10

MySQL Enterprise Security Architecture (figure)

Columns: Assess – Prevent – Detect – Recover

Components: Workbench, Enterprise Monitor, Enterprise Encryption, Firewall, Key Vault, Enterprise Authentication, Network Encryption, Enterprise Audit, Audit Vault, Strong Authentication, Access Controls, Enterprise Backup, HA (InnoDB Cluster), Thread Pool

Page 11

Assess Security Risks (figure)

• Discover Personal Data

• Scan Security Configuration

• Privilege Analysis

Page 12

Assess - MySQL Enterprise Features

• Assess Risks

– MySQL Enterprise Monitor

• Account assessment and reporting

• Identifies Security Vulnerabilities – discover security holes, advises remediating actions

– Advisors provide rules designed to enforce security best practices and alert upon discovering vulnerabilities

– MySQL Enterprise Workbench

• Discover tables and columns containing “Personal Data”

• Data Modeling tool – Reverse Engineering of Data Model to review data stored in the database

• Schema Inspector, Table Inspectors – for schema assessment, grant inspection

– MySQL Security Best Practices Guidelines

Page 13

MySQL Enterprise Monitor

• Enforce MySQL Security Best Practices

– Identifies Vulnerabilities

– Assesses current setup against security hardening policies

• Monitoring & Alerting

– User Monitoring

– Password Monitoring

– Schema Change Monitoring

– Backup Monitoring

– Configuration Management

– Configuration Tuning Advice

• Centralized User Management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."

Sandi Barr, Sr. Software Engineer, Schneider Electric

Page 14

MySQL Enterprise Monitor – Assess MySQL Authorization

• Administrative Privileges

• Database Privileges

• Session Limits and Object Privileges

• User privileges

– Creating, altering and deleting databases

– Creating, altering and deleting tables

– Execute INSERT, SELECT, UPDATE, DELETE queries

– Create, execute, or delete stored procedures and with what rights

– Create or delete indexes

Security Privilege Management in MySQL Workbench (screenshot)
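The slide lists what an authorization assessment should cover; the queries below are an added example (not from the slides or from Oracle's tooling) of running that assessment by hand against the INFORMATION_SCHEMA privilege tables and mysql.user, which exist in MySQL 5.7 and 8.0. The schema name hr, the table employees and the account app_reporting are assumed.

```sql
-- Added example: manual authorization assessment in plain SQL.
-- Assumed names: schema 'hr', table 'employees', account 'app_reporting'@'%'.

-- 1. Administrative privileges: who holds dangerous global rights on *.*?
--    SUPER, FILE, PROCESS, SHUTDOWN and anything WITH GRANT OPTION deserve review.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('SUPER', 'FILE', 'PROCESS', 'SHUTDOWN')
   OR IS_GRANTABLE = 'YES'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 2. Database privileges: accounts that can create, alter or drop databases,
--    tables, indexes or stored routines in some schema.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
FROM INFORMATION_SCHEMA.SCHEMA_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('CREATE', 'ALTER', 'DROP', 'INDEX',
                         'CREATE ROUTINE', 'ALTER ROUTINE')
ORDER BY TABLE_SCHEMA, GRANTEE;

-- 3. Object privileges: who can read or change one sensitive table
--    (INSERT, SELECT, UPDATE, DELETE on hr.employees).
SELECT GRANTEE, PRIVILEGE_TYPE
FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
WHERE TABLE_SCHEMA = 'hr' AND TABLE_NAME = 'employees'
ORDER BY GRANTEE;

-- 4. Session limits and reachability: accounts with no per-hour/connection caps
--    at all (0 means unlimited) or usable from any host ('%').
SELECT user, host, max_questions, max_connections, max_user_connections
FROM mysql.user
WHERE host = '%'
   OR (max_questions = 0 AND max_connections = 0 AND max_user_connections = 0)
ORDER BY user, host;

-- 5. Full grant list for any account the queries above flag.
SHOW GRANTS FOR 'app_reporting'@'%';
```

Run these as a DBA account with SELECT on the mysql schema; the result sets are what MySQL Enterprise Monitor's advisors summarize, so a manual pass like this is also a useful cross-check of what the tool reports.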

Page 15

Assess your data and data model using MySQL Workbench


Page 16

Prevent - MySQL Enterprise Features

• Prevent Attacks

– MySQL Enterprise Security – Transparent Data Encryption

• Includes Key Management

• Protects Tablespace via Encryption, Keys via Key Manager/Vault integration

– MySQL Enterprise Security – Firewall

• MySQL Firewall Statement/User/IP Whitelists, Rules

– MySQL Enterprise Security – Authentication

• Centralized Authentication Infrastructure

– DBA configurable IP whitelisting, Connection Limits, …

• Via server level and via per Account IP/Hostname Controls, Account resource limits

– In transit data encryption

• Full support for TLS 1.2 – X509, Certificate Authorities, Exclude Lists, etc.

Page 17

MySQL Enterprise Transparent Data Encryption – Protects against Attacks on Database Files (figure)

The MySQL database holds encrypted tablespace files and, in 8.0, encrypted redo/undo logs, under a protected key. A hacker or dishonest OS user who accesses the files directly finds information access blocked by encryption.

Page 18

What is Transparent Data Encryption?

• Data at Rest Encryption

– Tablespaces, Disks, Storage, OS File system

• Transparent to applications and users

– No application code, schema or data type changes

• Transparent to DBAs

– Keys are hidden from DBAs, no configuration changes

• Requires Key Management

– Protection, rotation, storage, recovery


Page 19

Using MySQL Transparent Data Encryption is EASY

SQL

• New option in CREATE TABLE: ENCRYPTION='Y'

• New SQL: ALTER INSTANCE ROTATE INNODB MASTER KEY

Plugin Infrastructure

• New plugin type: keyring

• Ability to load plugin before InnoDB initialization: --early-plugin-load

Keyring plugin

• Used to retrieve keys from Key Stores

• Over standardized KMIP protocol

InnoDB

• Support for encrypted tables

• IMPORT/EXPORT of encrypted tables

• Support for master key rotation
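The slide names the three pieces (keyring plugin loaded early, ENCRYPTION='Y', master key rotation) but does not show them in sequence. The following is an added example, not from the slides, that walks through a first encrypted table and a key rotation. It uses the keyring_file plugin for simplicity; a KMIP keyring as on the next slide is configured the same way with a different plugin name. The my.cnf path, the payments schema and its tables are assumed.

```sql
-- Added example: enabling TDE for one schema and rotating the master key.
-- Prerequisite (assumed my.cnf), so the keyring is available before InnoDB starts:
--   [mysqld]
--   early-plugin-load = keyring_file.so
--   keyring_file_data = /var/lib/mysql-keyring/keyring     (assumed path)

-- 1. Confirm the keyring plugin is ACTIVE. Without it, CREATE TABLE ... ENCRYPTION='Y'
--    fails with a "can't find master key" error rather than silently storing plaintext.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Create an encrypted table: the only change to the DDL is the ENCRYPTION clause.
CREATE DATABASE IF NOT EXISTS payments;
CREATE TABLE payments.card_tokens (
    id          BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    customer_id BIGINT UNSIGNED NOT NULL,
    token       VARBINARY(64)   NOT NULL,
    created_at  TIMESTAMP       NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB ENCRYPTION='Y';

-- 3. Encrypt an existing plaintext table in place (payments.ledger is assumed to exist).
--    This rebuilds the tablespace, so schedule it like any table-copying ALTER.
ALTER TABLE payments.ledger ENCRYPTION='Y';

-- 4. Verify which tablespaces are actually encrypted (MySQL 8.0 view; on 5.7 query
--    INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES and inspect the FLAG column instead).
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME LIKE 'payments/%';

-- 5. Rotate the master key, e.g. on a schedule or after a suspected key exposure.
--    A new master key is generated and each tablespace key is re-encrypted with it;
--    the table data itself is not rewritten, so this is cheap and runs online.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Step 4 is the check worth automating: a table created before the keyring was configured, or one the application added later without the ENCRYPTION clause, shows up there as ENCRYPTION = 'N' even though the schema is "supposed" to be encrypted.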

Page 20

MySQL Enterprise Transparent Data Encryption – KMIP Compliant

• KMIP – Key Management Interoperability Protocol (OASIS Standard)

– Keys are protected and secure

• KMIP mode tested with the following products

– Oracle Key Vault (OKV)

– Gemalto Safenet KeySecure

– Fornetix Key Orchestration Appliance

– Thales Vormetric Key Manager

• Enables customers to meet regulatory requirements

• Additional Options

– New! Encrypted Key Ring File (MySQL 5.7.21)

– Also: Cloud Key Services

• New! with 8.0 GA

– Encrypted UNDO/REDO

– …

Page 21

MySQL Enterprise Firewall: Overview (figure)

Inbound SQL traffic from web applications on the Internet, including a SQL injection attack via browser, reaches the MySQL Enterprise Firewall in front of the MySQL instance, where each statement is (1) allowed, (2) blocked or (3) detected.

Page 22

MySQL Enterprise Firewall

• Real Time Protection

– Queries analyzed and matched against White List

• Blocks SQL Injection Attacks

– Block Out of Policy Transactions

• Intrusion Detection

– Detect and Alert on Out of Policy Transactions

• Learns White List

– Automated creation of approved list of SQL command patterns on a per user basis

• Transparent

– No changes to application required

• New Feature in 5.7.20+ – Firewall Rules – via Audit Plugin abort()

– Create more general allow/deny firewall rules using JSON syntax.

MySQL Enterprise Firewall monitoring (screenshot)
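The ALLOW / BLOCK / DETECT flow of the last two slides corresponds to the firewall's RECORDING, PROTECTING and DETECTING modes. The statements below are an added example, not from the slides, of taking one application account through that lifecycle with the stored procedures and INFORMATION_SCHEMA tables the firewall installs in MySQL 5.7 and early 8.0 (the firewall itself is assumed to be installed already via the script shipped with MySQL Enterprise Edition). The account webapp@10.0.0.% is assumed.

```sql
-- Added example: MySQL Enterprise Firewall lifecycle for one application account.
-- Assumed account: 'webapp'@'10.0.0.%' (the firewall keys entries by user@host).

-- 1. Record: run the application through its normal workload while the firewall
--    learns the approved statement patterns for this account (its white list).
CALL mysql.sp_set_firewall_mode('webapp@10.0.0.%', 'RECORDING');

-- 2. Review what was learned before enforcing it. Literals are normalized to '?',
--    so one entry covers every value the application binds into that query shape.
SELECT RULE
FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
WHERE USERHOST = 'webapp@10.0.0.%';

-- 3. Detect first: statements that match no recorded pattern still execute but are
--    written to the error log, so a gap in the learned list surfaces as an alert
--    rather than as an application outage.
CALL mysql.sp_set_firewall_mode('webapp@10.0.0.%', 'DETECTING');

-- 4. Protect: once the list is complete, reject anything that does not match.
--    A statement whose shape was changed by injected input differs from every
--    recorded pattern for this account, so it is blocked at the server.
CALL mysql.sp_set_firewall_mode('webapp@10.0.0.%', 'PROTECTING');

-- 5. Monitor: counters to feed a dashboard or alert rule. A rising
--    Firewall_access_denied (PROTECTING) or Firewall_access_suspicious (DETECTING)
--    on an account whose code has not changed is worth an investigation.
SHOW GLOBAL STATUS LIKE 'Firewall%';

-- 6. Current mode of every registered account.
SELECT USERHOST, MODE
FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
```

Keep the account in DETECTING for at least one full business cycle (month-end reports, batch jobs) before switching to PROTECTING; rarely executed but legitimate statements are the usual cause of false blocks.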

Page 23

MySQL Enterprise Authentication

• Integrate with Centralized Authentication Infrastructure

– Centralized Account Management

– Password Policy Management

– Groups & Roles

• Supports

– Windows Active Directory

– Linux PAM (Pluggable Authentication Modules)

– New! Native LDAP – Ultra Fast and Flexible

Integrates MySQL with existing security infrastructures

Page 24

Detect - MySQL Enterprise Features

• Detect

– MySQL Enterprise Security – Audit

• Policy-based auditing solution – gather audit log of activity

• Use to spot database misuse

• Use to prove compliance to GDPR

– MySQL Enterprise Security – Firewall

• Real-time protection against database specific attacks

• Use to alert and/or block nefarious activity – such as personal data leakage

Page 25

Focus on MySQL Enterprise Audit

• Many regulations or security guidelines – for example GDPR

– Mandate recording or auditing of the activities on the Personal Data

– Recommend records must be maintained centrally - responsibility of the Controller.

– Processors and third-parties must not be able to tamper or destroy the audit records.

– In addition to book-keeping, auditing helps in forensic analysis in case of a breach.

• MySQL Enterprise Audit data can be

– New! Accessed read-only via SQL by privileged users (often DBA SSH access to the server is forbidden)

– Maintained in Oracle Audit Vault – certified, Splunk, others

– Output as standard XML or JSON that easily integrates with various 3rd party solutions

– Encrypted (MySQL 5.7.18+)

– Directed to write-once storage
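The slide states the requirements (record activity on personal data, keep the records tamper-resistant, let auditors read them without shell access); the following added example, not from the slides, shows how those map onto the audit_log plugin's filter functions and the SQL read interface. It assumes the plugin and its filter tables are already installed with the audit_log_filter install script shipped with the plugin, that the server runs with audit_log_format=JSON, and that the hr schema and the hr_app account exist.

```sql
-- Added example: policy-based auditing with MySQL Enterprise Audit.
-- Assumed startup options in my.cnf (read once at server start):
--   [mysqld]
--   audit_log_format     = JSON      (needed for audit_log_read() and for Splunk/Audit Vault ingestion)
--   audit_log_encryption = AES       (5.7.18+; requires a keyring plugin to be loaded)
--   audit_log_file       = /var/log/mysql/audit.log     (assumed path on write-once storage)

-- 1. Default policy for every account: connections and disconnections only,
--    so the log stays small and the signal-to-noise ratio high.
SELECT audit_log_filter_set_filter('log_connections',
  '{ "filter": { "class": { "name": "connection" } } }');
SELECT audit_log_filter_set_user('%', 'log_connections');

-- 2. Stricter policy for the application account that handles personal data:
--    every read and write through any table, plus its connections.
SELECT audit_log_filter_set_filter('log_personal_data', '{
  "filter": {
    "class": [
      { "name": "connection" },
      { "name": "table_access",
        "event": { "name": [ "read", "insert", "update", "delete" ] } }
    ]
  }
}');
SELECT audit_log_filter_set_user('hr_app@%', 'log_personal_data');

-- 3. Confirm the assignment (the '%' row is the default applied to everyone else).
SELECT USER, HOST, FILTERNAME FROM mysql.audit_log_user;

-- 4. Read the log through SQL (MySQL 8.0; caller needs the AUDIT_ADMIN privilege),
--    which is how an auditor without SSH access to the host reviews events.
SELECT audit_log_read('{ "start": { "timestamp": "2018-06-01 00:00:00" },
                         "max_array_length": 20 }');
SELECT audit_log_read();          -- next batch, continuing from the previous call
SELECT audit_log_read('null');    -- close the read session
```

Filters are stored in the mysql.audit_log_filter table and survive restarts, so the two SELECT ... set_filter calls are a one-time configuration; re-running them with a changed definition updates the policy in place.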

Page 26

MySQL Enterprise Audit - Work Flow


• NEW! SQL

Page 27

Detect - MySQL Enterprise Features

– MySQL Enterprise Workbench

• Security related –

– Inspect Audit Data

– Configure Firewall

– Manage Users

– Schema and Table Inspectors show ACLs/Users

– MySQL Enterprise Monitor

• Monitor/Alert on Firewall, Audit, Backups and more

• Detect configuration changes

Page 28

Recover

Disaster Recovery - ensure availability of end-user data

• Backup

– MySQL Enterprise Backup

• Includes encryption

• Support for MySQL TDE

– Oracle Cloud MySQL database service includes Backup and Recovery

• Audit – Post Mortem Analysis

Page 29

Recover

Disaster Recovery - ensure availability of end-user data

• HA

– Various options

• MySQL InnoDB Cluster

– Based on MySQL Group Replication (multi-master)

• Traditional MySQL Replication Topologies

Page 30

Additional Security Controls

Hashing, Signing, Encryption, Key Ring Functions

– Symmetric Encryption – AES

– Hashing – SHA-2, SHA-1

– Asymmetric Public Key Encryption (RSA)

– Asymmetric Private Key Decryption (RSA)

– Generate Public/Private Key (RSA, DSA, DH)

– Derive Symmetric Keys from Public and Private Key pairs (DH)

– Digitally Sign Data (RSA, DSA)

– Verify Data Signature (RSA, DSA)

– Validate Data Authenticity (RSA, DSA)

– Get, Put Keys with ACLs
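The slide lists the function families without showing a call. The block below is an added example, not from the slides, that exercises the hashing, symmetric, asymmetric and signing items on that list end to end, using the built-in SHA2/AES functions and the OpenSSL-based enterprise encryption UDFs. It assumes the openssl_udf shared library is available on the server (the CREATE FUNCTION statements register it once); all data values are constructed for the example.

```sql
-- Added example: MySQL Enterprise Encryption functions end to end.

-- 0. One-time registration of the OpenSSL UDFs (MySQL 8.0 before the component packaging).
CREATE FUNCTION create_asymmetric_priv_key RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION create_asymmetric_pub_key  RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_encrypt         RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_decrypt         RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_sign            RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_verify          RETURNS INTEGER SONAME 'openssl_udf.so';
CREATE FUNCTION create_digest              RETURNS STRING  SONAME 'openssl_udf.so';

-- 1. Hashing: SHA-2 (256-bit) rather than SHA-1 for anything integrity related.
SELECT SHA2('customer record 42', 256) AS sha256_hex;

-- 2. Symmetric encryption: AES-256-CBC with a random IV. The default
--    block_encryption_mode is aes-128-ecb, which takes no IV and lets equal
--    plaintext blocks produce equal ciphertext, so set the mode explicitly.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('constructed-key-material-store-the-real-one-in-a-key-vault', 256)); -- 32 bytes
SET @iv  = RANDOM_BYTES(16);                       -- not secret, but must be stored with the ciphertext
SET @ct  = AES_ENCRYPT('4111 1111 1111 1111', @key, @iv);
SELECT CAST(AES_DECRYPT(@ct, @key, @iv) AS CHAR) AS roundtrip;

-- 3. Asymmetric keys, public-key encryption and private-key decryption (RSA 2048).
--    RSA can only wrap a short value; use it for keys, not for bulk data.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);
SET @enc  = ASYMMETRIC_ENCRYPT('RSA', 'short secret', @pub);
SELECT CAST(ASYMMETRIC_DECRYPT('RSA', @enc, @priv) AS CHAR) AS decrypted;

-- 4. Digital signature over a SHA-256 digest, and verification with the public key.
SET @doc = 'invoice 2018-0042: total 199.00 EUR';
SET @dig = CREATE_DIGEST('SHA256', @doc);
SET @sig = ASYMMETRIC_SIGN('RSA', @dig, @priv, 'SHA256');
SELECT ASYMMETRIC_VERIFY('RSA', @dig, @sig, @pub, 'SHA256') AS signature_valid;

-- 5. Validate data authenticity: the digest of an altered document does not verify
--    against the original signature.
SET @dig_tampered = CREATE_DIGEST('SHA256', 'invoice 2018-0042: total 1.00 EUR');
SELECT ASYMMETRIC_VERIFY('RSA', @dig_tampered, @sig, @pub, 'SHA256') AS signature_valid;
```

ASYMMETRIC_VERIFY returns 1 in step 4 and 0 in step 5. The private key in step 3 lives in a session variable only for illustration; in production it belongs in the keyring (the "Get, Put Keys with ACLs" item on the slide) and is fetched by the code that needs it.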

Page 31

New Security Features in MySQL 8.0


Page 32

New! MySQL Roles

Improving MySQL Access Controls

• Introduced in the 8.0.0 DMR

• Easier to manage user and applications rights

• As standards compliant as practically possible

• Multiple default roles

• Can export the role graph in GraphML

Feature Request from DBAs (figure)

Roles can be granted to a user directly or indirectly; the default role(s) or SET ROLE determine which set of ACLs is active for the session.

Page 33

New! Atomic ACL Statements

• Long standing MySQL issue!

– For Replication, HA, Backups, etc.

• Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary

• Not just a table operation: memory caches need update too

• Applies to statements performing multiple logical operations, e.g.

– CREATE USER u1, u2

– GRANT SELECT ON *.* TO u1, u2

• Uses a custom MDL lock to block ACL related activity

– While altering the ACL caches and tables

Feature Request from DBAs

Page 34

New! Dynamic Privileges

Provides finer grained administrative level access controls

• Too often super is required for tasks when less privilege is really needed

• Needed to allow adding administrative access controls

• SUPER privilege split into a set of dynamic privileges, e.g.

– SYSTEM_VARIABLES_ADMIN

– ROLE_ADMIN

– CONNECTION_ADMIN, etc.

• Each plugin can now register and use its own unique privileges

• All existing MySQL plugins currently using SUPER are updated to add specific privileges, e.g.
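The roles slide (page 32) and the dynamic privileges slide above describe two halves of one least-privilege pattern: put exactly the administrative rights a task needs into a role, and grant the role rather than SUPER. The following is an added example, not from the slides, that does this in MySQL 8.0 with the dynamic privilege names the slide lists. Role names, account names and the shop schema are assumed; the password strings are placeholders.

```sql
-- Added example: least-privilege administration with roles and dynamic privileges (MySQL 8.0).
-- Assumed names: roles 'db_operator' and 'app_rw', accounts 'ops_alice' and 'shop_app', schema 'shop'.

-- 1. An operations role carrying only the administrative rights the job needs.
--    SYSTEM_VARIABLES_ADMIN and CONNECTION_ADMIN are dynamic privileges split out of
--    SUPER; they are granted ON *.* like global privileges but recorded separately.
CREATE ROLE 'db_operator';
GRANT SYSTEM_VARIABLES_ADMIN, CONNECTION_ADMIN ON *.* TO 'db_operator';
GRANT PROCESS, RELOAD, SHOW DATABASES ON *.* TO 'db_operator';

-- 2. A narrower role for the application's data access.
CREATE ROLE 'app_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_rw';

-- 3. Accounts receive roles, not individual grants, so rights are managed in one place.
--    A default role is needed because roles are not active at login unless set
--    (or activate_all_roles_on_login is enabled server-wide).
CREATE USER 'ops_alice'@'10.0.%' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';
GRANT 'db_operator' TO 'ops_alice'@'10.0.%';
SET DEFAULT ROLE 'db_operator' TO 'ops_alice'@'10.0.%';

CREATE USER 'shop_app'@'10.0.%' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';
GRANT 'app_rw' TO 'shop_app'@'10.0.%';
SET DEFAULT ROLE ALL TO 'shop_app'@'10.0.%';

-- 4. Review effective rights: the first statement shows only the role grant,
--    the second expands what the role confers.
SHOW GRANTS FOR 'ops_alice'@'10.0.%';
SHOW GRANTS FOR 'ops_alice'@'10.0.%' USING 'db_operator';

-- 5. Dynamic privileges live in mysql.global_grants, not in mysql.user. Now that the
--    split exists, any account still holding SUPER directly is a finding to chase.
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION FROM mysql.global_grants ORDER BY USER, HOST, PRIV;
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';

-- 6. Export the role graph in GraphML for review or documentation (needs ROLE_ADMIN).
SELECT * FROM mysql.roles_graphml();
```

Because 8.0 makes ACL statements atomic (page 33), each GRANT above either fully applies to the tables and the in-memory caches or not at all, so a failure part-way through this script cannot leave a half-granted role behind on a replica.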

Page 35

New! OpenSSL Dynamically Linked / FIPS Module Support

• Dynamically Linked in 8.0 CAN

– Use optimized OpenSSL Libraries (use AES-NI acceleration)

– Be patched without MySQL Upgrade

– Run with OpenSSL FIPS Object Module

• Meeting US Federal Requirements

• Provides confidentiality, integrity and message digest services.

– Leverage OpenSSL engines (HSMs etc.)

• Moves cryptography off CPU – dedicated cryptography devices

• Meeting more stringent security requirements

• May improve performance

Page 36

MySQL Password Policies

• Accounts without Passwords

– Assign passwords to all accounts to prevent unauthorized use

• Password Validation Plugin

– Enforce Strong Passwords

• Password Expiration/Rotation

– Require users to reset their password

• Account lockout (in v. 5.7)

• Password Retry Rules (in v. 5.7.16+)

• New! Password History (in v. 8.0)

Page 37

New! Caching_SHA_256 – Highly Secure with Performance

• MySQL supports very High Performance Connections

– Enabled by a fast challenge-response mechanism

– mysql_native_password relies on the SHA1 algorithm

• Security Experts recommend against using SHA1

– Recommend multiple rounds of SHA256 hash on a salted password

– However this is SLOW – a high level of processing is required

• Enter Caching_SHA_256

– FAST and SECURE

– For the majority of connection attempts it uses a cached copy of the password hash
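The password policy slide (page 36), the caching SHA-2 slide above and the in-transit encryption bullet on page 16 all come down to account and server settings. The block below is an added example, not from the slides, that applies them on MySQL 8.0 (5.7 differences are noted in comments); the server-side plugin name for the mechanism the slide calls Caching_SHA_256 is caching_sha2_password. Account names are assumed and the password strings are placeholders.

```sql
-- Added example: account hardening on MySQL 8.0.
-- Assumed accounts: 'reporting'@'10.0.%' (new) and 'legacy_app'@'10.0.%' (existing).

-- 1. Accounts without passwords: every row returned must get a password or be dropped.
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = '';

-- 2. Enforce strong passwords. 8.0 ships validate_password as a component
--    (5.7: INSTALL PLUGIN validate_password SONAME 'validate_password.so').
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = STRONG;   -- length, mixed case, digits, special chars, dictionary check
SET PERSIST validate_password.length = 14;

-- 3. Password retry rules (5.7.16+): slow down repeated failed logins per account/host.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET PERSIST connection_control_failed_connections_threshold = 3;
SET PERSIST connection_control_min_connection_delay = 1000;   -- milliseconds

-- 4. Server-wide defaults: caching_sha2_password for new accounts and TLS for every
--    client. The first two are read-only at runtime, so PERSIST_ONLY records them for
--    the next restart; require_secure_transport takes effect immediately.
SET PERSIST_ONLY default_authentication_plugin = 'caching_sha2_password';
SET PERSIST_ONLY tls_version = 'TLSv1.2';
SET PERSIST require_secure_transport = ON;

-- 5. A new account with explicit auth plugin, TLS requirement, expiration and
--    history/reuse rules (PASSWORD HISTORY and REUSE INTERVAL are 8.0 features).
CREATE USER 'reporting'@'10.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'REPLACE-WITH-STRONG-PASSWORD'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5
  PASSWORD REUSE INTERVAL 365 DAY;

-- 6. Account lockout (5.7+): disable without deleting, e.g. for a leaver pending review.
ALTER USER 'reporting'@'10.0.%' ACCOUNT LOCK;

-- 7. Migrate an existing account off the SHA-1 based mysql_native_password.
--    The client library must be new enough (8.0) to negotiate caching_sha2_password.
ALTER USER 'legacy_app'@'10.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'REPLACE-WITH-STRONG-PASSWORD';

-- 8. Review: accounts still on the SHA-1 plugin, or explicitly set to never expire
--    (password_lifetime = 0; NULL means the global default_password_lifetime applies).
SELECT user, host, plugin, password_lifetime, account_locked
FROM mysql.user
WHERE plugin = 'mysql_native_password' OR password_lifetime = 0;
```

Step 7 is where the "cached copy of the password hash" from the slide matters operationally: the first connection after a password change (or server restart) does the full SHA-256 exchange and must run over TLS or use the server's RSA key pair; subsequent connections hit the cache and are as fast as the old native plugin.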

Page 38

MySQL Enterprise Security Architecture (figure, summary)

Columns: Assess – Prevent – Detect – Recover

• Workbench: Model, Data, Audit Data, User Management

• Enterprise Monitor: Identifies Vulnerabilities, Security hardening policies, User Monitoring, Password Monitoring, Schema Change Monitoring, Backup Monitoring

• Enterprise Encryption: TDE, Encryption, PKI

• Firewall

• Key Vault

• Enterprise Authentication: SSO – LDAP, AD, PAM

• Network Encryption

• Enterprise Audit: Powerful Rules Engine

• Audit Vault

• Strong Authentication

• Access Controls

• Enterprise Backup

• HA: InnoDB Cluster

• Thread Pool

Page 39

Security Direction

Continuing to focus in areas such as

• TDE / Encryption / Key Management

• Masking

• Audit

• Firewall

• Authentication

• Integration to various Oracle Cloud Services

Customer feedback and requirements drive our priorities

Tell us what you want, need, etc.

Provide us your problematic use cases

Page 40

Security Resources

• http://mysqlserverteam.com/

• http://insidemysql.com/

• https://blogs.oracle.com/mysql

• https://www.mysql.com/why-mysql/#en-0-40

• https://www.mysql.com/why-mysql/presentations/#en-17-40

• https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-40

• https://www.mysql.com/news-and-events/health-check/


Page 41

References

• MySQL Enterprise Security

• MySQL Enterprise Authentication

• MySQL Enterprise Firewall

• MySQL Enterprise Transparent Data Encryption

• MySQL Enterprise Audit

• MySQL Enterprise Backup

• MySQL Enterprise Monitor

• Encryption Functions

• Enterprise Encryption Functions

